author: Brad Solomon <25164676+bsolomon1124@users.noreply.github.com> 2021-09-09 08:11:51 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-01-17 08:59:43 +0100
commit: 519b6d607076c29393ee6e9231c9c0e38a4b1f81 (patch)
tree: daa0e7f08846414759037623cfedbdd94b29b881
parent: 92e10181787cb040760de52cf0ab0bc950494744 (diff)
[4.0.x] Fixed #33443 -- Clarified when PasswordResetView sends an email.
Backport of b55ebe32417e0884b6b8b3e1bc0379033aa221af from main
-rw-r--r-- docs/topics/auth/default.txt 25
1 files changed, 14 insertions, 11 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 23e0836d85..d099778836 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -1281,10 +1281,20 @@ implementation details see :ref:`using-the-views`.
that can be used to reset the password, and sending that link to the
user's registered email address.
- If the email address provided does not exist in the system, this view
- won't send an email, but the user won't receive any error message either.
- This prevents information leaking to potential attackers. If you want to
- provide an error message in this case, you can subclass
+ This view will send an email if the following conditions are met:
+
+ * The email address provided exists in the system.
+ * The requested user is active (``User.is_active`` is ``True``).
+ * The requested user has a usable password. Users flagged with an unusable
+ password (see
+ :meth:`~django.contrib.auth.models.User.set_unusable_password`) aren't
+ allowed to request a password reset to prevent misuse when using an
+ external authentication source like LDAP.
+
+ If any of these conditions are *not* met, no email will be sent, but the
+ user won't receive any error message either. This prevents information
+ leaking to potential attackers. If you want to provide an error message in
+ this case, you can subclass
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the
``form_class`` attribute.
@@ -1298,13 +1308,6 @@ implementation details see :ref:`using-the-views`.
that allows to send emails asynchronously, e.g. `django-mailer
<https://pypi.org/project/django-mailer/>`_.
- Users flagged with an unusable password (see
- :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
- allowed to request a password reset to prevent misuse when using an
- external authentication source like LDAP. Note that they won't receive any
- error message since this would expose their account's existence but no
- mail will be sent either.
-
**Attributes:**
.. attribute:: template_name
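Review bot: dropping this paragraph is correct since its content now lives in the bullet list earlier in the section, but the removed text carried one rationale the new wording loses: "they won't receive any error message since this would expose their account's existence". The replacement phrasing ("prevents information leaking to potential attackers") is more generic; consider keeping the explicit "expose their account's existence" wording in the consolidated paragraph so the account-enumeration concern stays concrete. Also confirm a blank line still separates the django-mailer sentence from "**Attributes:**" after the removal, as the deleted block ended with one.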